We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...

vi /etc/mime.types

... and comment out the application/x-ruby line:

[...]
#application/x-ruby rb
[...]

Restart Apache:

/etc/init.d/apache2 restart

Now .rb files will be executed and displayed in the browser, just like .rbx files.
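A way to confirm the edit took effect, as an added example that is not part of the original tutorial: the function below parses a mime.types-style file and prints the MIME types still actively mapped to an extension. An empty result for rb (or for the PHP extensions in chapter 15.1) means the mapping is commented out; the function name and the sample file are constructed for illustration.

```shell
# Added example: list MIME types that are still actively mapped to an
# extension in a mime.types-style file (commented-out lines are ignored).

# active_types FILE EXT -> prints one MIME type per line, nothing if unmapped
active_types() {
    awk -v ext="$2" '
        $1 ~ /^#/ { next }             # commented-out mapping: inactive
        NF < 2    { next }             # blank line, or a type with no extensions
        {
            for (i = 2; i <= NF; i++)  # fields 2..NF are the extensions
                if ($i == ext) print $1
        }
    ' "$1"
}

# Constructed sample, not a copy of a real /etc/mime.types
sample=$(mktemp)
cat > "$sample" <<'EOF'
application/x-httpd-php phtml pht php
#application/x-ruby rb
application/x-sh sh
text/html html htm shtml
EOF

# rb prints "(none)" because its line is commented out; php is still mapped
for e in rb php; do
    t=$(active_types "$sample" "$e")
    printf '%s -> %s\n' "$e" "${t:-(none)}"
done
```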

In the next chapter (15.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.

15.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:

Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

vi /usr/include/stdio.h

[...]
This function is not part of POSIX and therefore no official
cancellation point. But due to similarity with an POSIX interface
or due to the implementation it is a cancellation point and
therefore not marked with __THROW. */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
size_t *__restrict __n,
FILE *__restrict __stream) __wur;
#endif
[...]

If you don't do this, the installation will fail because of the following error:

So if you want to use suExec with ISPConfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).

It may seem obvious to most of the people that access this page but I struggled for a few hours figuring out how to enable phpmyadmin from the web. I found out that I needed the symbolic link from phpmyadmin to the www directory:

Because you advised to use a password for root instead of leaving it blank, I believe the first user that you created during install (Administrator) is not set up to use sudo. I could very well be wrong!

To the above commenter: Nobody is set up for sudo in debian, by default. If you wish to use sudo (I'm told it is not recommended, but I do), you must set it up manually (see: http://wiki.debian.org/sudo).

To the author of this article: I'd like to know why I would want to disable php (or python or ruby, for that matter.) globally. You explain very well how to do a lot of things here, but you often do not explain why. For instance, what does quota do? I did an apt-cache show quota, and it didn't clear that up for me much. I have a computer here I used to use as a desktop, and I just installed apache2, mysql-server, pureftp, some wordpress and dokuwiki on it, and am serving up some stuff (see http://blinguas.homelinux.net/ ), but it's my first time ever trying to run/admin a server (been making sites on paid hosting for a decade, figured it was time to learn the rest of the game). I ran an ircd on it for a few days, too, but only one guy dropped in to chat, a fellow tcl hacker and debianero. The ftp server is incredibly handy. I can keep files there and access them from my phone or laptop, anywhere. I can also ssh in from my phone (droid does!), although I generally admin the box from my main machine, via ssh. This is all immensely fun (probably because I don't do it for a living?).

I'm thinking of wiping the hdd and starting from scratch with these instructions, since the machine was set up as a desktop 2 years ago, with lenny, just upgraded to squeeze. (At the same time, I figure if anything goes loopy on my main machine, having another desktop handy would be, well, handy. After all, my main job is translating stuff, not being a web admin).

I'd like to have this article on one page (so I can write it to a pdf and keep it around for future reference). I'm sure it will come in very handy if I continue playing with this stuff (and I will).

After following this tutorial for the perfect server and installing ISPConfig-2, I had to load ISPConfig manually after the machine finished booting. I discovered that since the release of Debian Squeeze, the auto-loading of software processes is different. I found out what to do to make ISPConfig load when linux boots. It works for me so I'm going to share the information. Do the following after you install ISPConfig and it should load ISPConfig when your server boots up:

1) Delete any files that have "ispconfig_server" in their name under the following directories. (The names will be similar to "S99ispconfig_server" or "K99ispconfig_server"):

2) Load "/etc/init.d/ispconfig_server" into your favorite text editor and make sure the following is at the very beginning of the script. Empty lines are important. Make sure there is an empty line between lines with content:

#!/bin/bash
### BEGIN INIT INFO
# Provides: ISPConfig Server
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start ISPConfig on boot
# Description: Enable server provided by ISPConfig
### END INIT INFO

3) After saving your changes in "/etc/init.d/ispconfig_server", run the following command:

insserv ispconfig_server

4) Now check to see if ISPConfig is loading on boot by restarting your machine. I hope this information is useful. If this doesn't work then there is a completely different problem that I am unaware of.

On your LOCAL computer, edit the SSH known_hosts file and remove any entries that point to your server address. If this is a brand new server then you will not need to do this, but a reinstall will result in a different signature.

# nano -w ~/.ssh/known_hosts

If you are not using Linux on your LOCAL computer, the location of the known_hosts file will differ. Please refer to your own OS for details of where this file is kept.

As soon as you have your IP address and password for your login via SSH:

$ ssh root@123.45.67.890

User administration

Now we're logged in to the server, add a user:

# adduser serveradmin

As you know we never log in as the root user (this initial setup is the only time you would need to log in as root). As such, the main administration user (serveradmin) needs to have sudo (Super User) privileges so he can, with a password, complete administrative tasks.

Give the 'visudo' command:

# visudo

At the end of the file add:

serveradmin ALL=(ALL) ALL

SSH preparation

One effective way of securing SSH access to your server is to use a public/private key. This means that a 'public' key is placed on the server and the 'private' key is on our local workstation. This makes it impossible for someone to log in using just a password - they must have the private key.

This is very simple with ssh-copy-id.

We already have our admin user created (serveradmin), so on your local workstation enter the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub serveradmin@123.45.67.890

We use the -i option to specify which file (identity) to copy across to the server. The user is then specified followed by the IP address of the server.

So what happens when the command is entered? Firstly you will need to enter the user's password so it can have secure access to the server. Then it creates a 'hidden' directory called .ssh and copies the public key to a file named 'authorized_keys'.

It then automatically changes the permissions so that only the owner (serveradmin) can read or write to the file.

It's always a good idea to check the settings on something as important as this so let's have a quick look at the permissions:

You can also open the authorized_keys file and make sure only your key was copied across and it is not full of unknown keys.

Remember that this is the only time you'll need to enter the SSH password as the file we just copied over will authorize the admin user 'serveradmin' to SSH in without it - but only if they have the private key on their local workstation: it won't work from any workstation.

SSH config

Next we'll change the default SSH configuration to make it more secure:

I think the settings are fairly self explanatory but the main thing is to move it from the default port of 22 to one of your choosing, turn off root logins and define which users can log in. If you use ISPConfig don't use the "AllowUsers" set to just one user.

PasswordAuthentication has been turned off as we set up the public/private key earlier. Do note that if you intend to access your server from different computers you may want to leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure.

Add Virtual terminals

sudo aptitude install screen

To start a screen session simply enter the command:

screen

Press the space bar to remove the introduction page and to activate any custom bash_profile entries, enter: source ~/.bash_profile

Because the Debian Squeeze installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.1.80) (please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work, and we'd have to reboot the whole system):

nano -w /etc/network/interfaces

_________________________________

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

29. Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano -w /etc/fstab

_________________________________

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 / ext3 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

47. Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

48. Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

___________________________________________

49. Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

54 a) Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

69. Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

nano -w /usr/include/stdio.h

______________________________________________

[...]
This function is not part of POSIX and therefore no official
cancellation point. But due to similarity with an POSIX interface
or due to the implementation it is a cancellation point and
therefore not marked with __THROW. */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
size_t *__restrict __n,
FILE *__restrict __stream) __wur;
#endif
[...]

______________________________________________

70. You can undo the change to /usr/include/stdio.h after the successful ISPConfig installation (but don't forget to change it back whenever you want to update ISPConfig!).

71. A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root.
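For the SSH config step in the post above, an added example that is not the poster's own code: it audits an sshd_config for the four settings the post names (Port, PermitRootLogin, PasswordAuthentication, AllowUsers). The helper names, the sample files, the port number and the Match user are constructed.

```shell
# Added example: audit an sshd_config for the settings named in the post.
# values FILE KEYWORD -> every global value for KEYWORD, one per line.
# Keywords are case-insensitive; the global section ends at the first Match.
values() {
    awk -v kw="$2" '
        $1 ~ /^#/              { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# audit FILE -> one finding per line; exit status 0 only when there are none.
audit() {
    f=$1 bad=0
    # For most keywords sshd keeps the FIRST value it reads, hence head -n 1.
    root=$(values "$f" PermitRootLogin | head -n 1)
    pass=$(values "$f" PasswordAuthentication | head -n 1)
    # Port lines accumulate (sshd listens on each); no Port line means 22.
    ports=$(values "$f" Port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "Port: sshd still listens on 22"; bad=1
    fi
    [ "$root" = no ] || { echo "PermitRootLogin: ${root:-unset}, expected no"; bad=1; }
    [ "$pass" = no ] || { echo "PasswordAuthentication: ${pass:-unset}, expected no"; bad=1; }
    [ -n "$(values "$f" AllowUsers)" ] || { echo "AllowUsers: not set"; bad=1; }
    return "$bad"
}

# Constructed sample files (the post's own sshd_config listing is not on the page).
dir=$(mktemp -d)
cat > "$dir/weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but the earlier "yes" is the one sshd uses
PasswordAuthentication no
EOF
cat > "$dir/hardened" <<'EOF'
Port 30000
PermitRootLogin no
PasswordAuthentication no
AllowUsers serveradmin
Match User backup
    PasswordAuthentication yes
EOF
for c in weak hardened; do
    audit "$dir/$c" || echo "-> $c: findings listed above"
done
```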

This isn't an error with Debian or ISPConfig but I decided to post a fix here for everyone setting up a new system. It is an error in PHP5.

You should notice your administrator account on your server is getting flooded with server emails every 30 minutes by PHP5 complaining that "#" has been deprecated for commenting. To fix this, just load the following file into your favorite text editor "/etc/php5/conf.d/ming.ini" and replace the pound sign "#" with a semicolon ";" and save. Then reboot your server and no more email flooding to your administrator account.

My previous post has errors. It should have been a new comment, not a reply. Also, the directories to look in and delete files are wrong, they should be:
/etc/rc0.d/
/etc/rc1.d/
/etc/rc2.d/
/etc/rc3.d/
/etc/rc4.d/
/etc/rc5.d/
/etc/rc6.d/
